
Separation of duties: Internal user account controls

If your user account administration is dispersed among different departments, you might be looking into centralizing it. This can work, provided you have a trustworthy administrator and separation of duties controls.

I have been a one-man security shop for a couple of years, and we are finally considering adding a junior admin. One of the tasks I would like to give this person is security administration. The responsibility is currently distributed among IT operations and business users. My question is twofold: 1) Is it a good practice to centralize account administration? and 2) Who 'watches the watcher'? In other words, if my team has the ability to create accounts, who should be the group to monitor us to make sure we are not doing anything inappropriate? For instance, creating bogus accounts, stealing data and deleting the accounts immediately afterwards?

Great to hear you're finally getting some relief. You didn't provide any information on your organization's setup in your question, so I have to say the answer to your first question is "it depends." The rule of thumb for user account controls is to do it as close to the user as possible: that means you need to be able to verify that the requestor was really the person who made the request, in order to prevent creating accounts when they're not warranted. If you're located in the same general geographic area or can easily contact the requestor to validate that he or she, or his or her manager, made the request, then central administration is fine. If, however, there are language issues, you don't have an easy way to verify user requests, or you have a highly distributed, political, or siloed business model, then distributed administration makes more sense.

As far as who watches the watcher, this question has been debated for years. As mentioned in another question, separation of duty (SoD) best practices dictate that an account administrator should not be able to set up accounts or privileges for himself or herself, for all the reasons you mentioned above. So in order to monitor these activities, it's important to have an audit function within the organization. Whether this is owned by the legal group, the compliance group or even network engineering -- who can sniff out unauthorized traffic -- the decision is an organization-specific one. If an audit group isn't feasible due to cost, lack of experience, size of organization, politics, etc., then the only alternative is to have HR conduct periodic background checks of the people who have this function. They would look at criminal and financial information to ensure the likelihood of authorized users doing unauthorized activities is not influenced by outside pressures. Great administrators have gone bad due to pressures posed by gambling, divorce, mortgage debt, etc. I'd also look at personality. You want happy people who like their job, who get along well with others and who are genuinely honest doing this work. Brooding administrators are always a bad sign.

Finally, the U.S. Government's CERT group has many good guidelines on mitigating the insider threat. You should go to their site and learn all the warning signs of potentially dangerous administrators and activities to look out for. Good luck with your new administrator, and hopefully now you can take that vacation I'm sure you've been putting off.
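The two abuses the question and answer describe (an administrator granting privileges to his or her own account, and an account created, used and deleted before anyone reviews it) are exactly what an audit function would look for in the directory's change log. The following is an added example, not part of the original column; it assumes a simplified, constructed audit-log format of "timestamp actor action target" and flags both patterns.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (not taken from any real system):
# one event per line, "timestamp actor action target".
SAMPLE_LOG = """\
2010-03-01T09:00:00 alice CREATE_USER bob
2010-03-01T09:05:00 alice GRANT_ADMIN alice
2010-03-01T22:10:00 alice CREATE_USER svc_tmp
2010-03-01T23:40:00 alice DELETE_USER svc_tmp
2010-03-02T08:00:00 carol CREATE_USER dave
2010-03-09T08:00:00 carol DELETE_USER dave
"""

def parse_log(text):
    """Turn the constructed log text into (timestamp, actor, action, target) tuples."""
    events = []
    for line in text.splitlines():
        ts, actor, action, target = line.split()
        events.append((datetime.fromisoformat(ts), actor, action, target))
    return events

def find_sod_violations(events, max_lifetime=timedelta(hours=24)):
    """Return findings for the audit group to review.

    Rule 1 (self-service): an administrator acting on his or her own account,
    which separation of duty says should never be possible.
    Rule 2 (short-lived account): an account created and then deleted by the
    same actor within max_lifetime, the create/use/delete pattern the asker fears.
    """
    findings = []
    created = {}  # target account -> (timestamp, actor) of its latest CREATE_USER
    for ts, actor, action, target in sorted(events):
        if actor == target:
            findings.append(("self-service", actor, action, ts))
        if action == "CREATE_USER":
            created[target] = (ts, actor)
        elif action == "DELETE_USER" and target in created:
            created_ts, created_by = created.pop(target)
            if created_by == actor and ts - created_ts <= max_lifetime:
                findings.append(("short-lived-account", actor, target, ts - created_ts))
    return findings

if __name__ == "__main__":
    for finding in find_sod_violations(parse_log(SAMPLE_LOG)):
        print(finding)
```

In the sample, alice's self-grant and the 90-minute svc_tmp account are reported, while carol's account for dave, deleted a week later, is not; widening max_lifetime would pull that one in too.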


This was last published in March 2010
